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AMENDMENTS TO THE CLAIMS 

1.-20. (canceled) 

21 . (currently amended) An apparatus for determining secure endpoints of tunnels in 
a network that uses Internet security protocol, comprising: 
a network interface that is coupled to the network for receiving one or more 

packet flows therefrom; 
a processor; 

one or more stored sequences of instructions which, when executed by the 
processor, cause the processor to carry out the steps of: 
sending from a first network device a first description of network traffic 

that is to be protected, wherein the first description comprises a 

first set of network addresses; 
receiving, at the first network device and from a second network device, a 

second description of network traffic that is to be protected, 

wherein the second description comprises a second set of network 

addresses; 

creating and storing a third description of network traffic that is to be 
protected based on determining a logical intersection of the first 
description of network traffic and the second description of 
network traffic, wherein the step of creating and storing a third 
description further comprises the step of determining a largest 
common subset between the first set of network addresses and the 
second set of network addresses; and 
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establishing the secure connection between the first network device and 
the second network device based on the third description of 
network traffic : and 

wherein the first description comprises a packet summary value that 
summarizes packets in the network traffic to be protected, and 
wherein the second description is generated by the second network 
device based on comparing the packet summary value to one or 
more access control lists that are managed by the second network 
device . 

22. (previously presented) The apparatus of claim 21 , wherein the first description 
comprises a first protocol and the second description comprises a second protocol, and 
further comprising sequences of instructions which, when executed by the processor, 
cause the processor to perform the steps of determining a third protocol for the third 
description based on determining a logical intersection of the first protocol and the 
second protocol. 

23. (currently amended) The apparatus of claim 24- 22, wherein the sequences of 
instructions that cause the processor to perform determining the third protocol comprise 
sequences of instructions which, when executed by the processor, cause the processor to 
perform: 

determining that the third protocol is IP when both the first description and the 

second description identify IP as a protocol; 
determining that the third protocol is a specific protocol when the first description 

identifies IP and the second description identifies a non-IP protocol; 
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determining that the third protocol is a either an IP or non-IP protocol when both 
the first description and the second description identify the same protocol 
of either an IP or non-IP protocol. 

24. (canceled). 

25. (previously presented) The apparatus of claim 21, wherein the first description of 
network traffic comprises a packet summary that includes: 

IP protocol information that is associated with the network traffic emanating from 
a source end host, wherein the source end host is associated with the first 
network device; 

port information that is associated with the source end host; 

port information that is associated with a destination end host, wherein the 
destination end host is associated with the second network device; 

an IP address that is associated with the source end host; 

an IP address that is associated with the destination end host; and 

a proxy address of the source end host; and 

wherein the second description is generated by the second network device based 
on comparing the packet summary to one or more access control lists that 
are managed by the second network device. 

26. (previously presented) The apparatus of claim 21, further comprising sequences 
of instructions which, when executed by the processor, cause the processor to 
perform: 
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determining, at the second network device, whether the packet summary matches 
a security policy information that is associated with the second network 
device; 

wherein the packet summary is associated with the first description of network 
traffic. 

27. (previously presented) The apparatus of claim 21, wherein the second description 
of network traffic comprises a response that includes: 

IP protocol information that is associated with the network traffic emanating from 
a destination end host, wherein the destination end host is associated with 
the second network device; 
an IP address that is associated with the second network device; and 
proxy addresses that are associated with a destination end host. 

28. (previously presented) The apparatus of claim 27, wherein the proxy addresses 
that are associated with the destination end host include a first subnet that includes the 
destination end host and a second subnet that includes a source end host, wherein the 
source end host is associated with the first network device. 

29. (previously presented) The apparatus of claim 21, wherein the sequences of 
instructions that cause the processor to perform deriving a third description of network 
traffic further comprise sequences of instructions which, when executed by the processor, 
cause the processor to perform: 

determining based on the first description of network traffic and the second 
description of network traffic a first intersection proxy comprising 
protocol information; 
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determining based on the first description of network traffic and the second 

description of network traffic a second intersection proxy comprising port 
information; and 

determining based on the first description of network traffic and the second 

description of network traffic a third intersection proxy comprising proxy 
address information. 

30. (previously presented) The apparatus of claim 2 1 , further comprising sequences 
of instructions which, when executed by the processor, cause the processor to perform the 
steps of: 

receiving at the first network device an IP packet from a source end host that is 

associated with the first network device; 
verifying that the IP packet falls within the third description of network traffic. 

3 1 . (previously presented) The apparatus of claim 21 , wherein the first description 
comprises a first port value and the second description comprises a second port value, 
and further comprising the steps of determining a third port value for the third description 
based on determining a logical intersection of the first port value and the second port 
value. 

32. (previously presented) The apparatus of claim 3 1 , wherein the sequences of 
instructions that cause the processor to perform determining the third port value 
comprises sequences of instructions which, when executed by the processor, cause the 
processor to perform the steps of: 
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determining that the third port value is a specific port value when both the first 
description and the second description identify the same specific port 
value; 

determining that the third port value is a specific port value when one of the first 
description and the second description identify the specific port value. 

33. (previously presented) The apparatus of claim 21 , wherein the network addresses 
comprise a network address and a network mask. 

34. (currently amended) An apparatus for determining secure endpoints of tunnels in 
a network that uses Internet security protocol, comprising: 

means for sending from a first network device a first description of network 

traffic that is to be protected, wherein the first description comprises a first 
set of network addresses; 

means for receiving, at the first network device and from a second network 
device, a second description of network traffic that is to be protected, 
wherein the second description comprises a second set of network 
addresses; 

means for creating and storing a third description of network traffic that is to be 
protected based on determining a logical intersection of the first 
description of network traffic and the second description of network 
traffic, wherein the step of creating and storing a third description further 
comprises the step of determining a largest common subset between the 
first set of network addresses and the second set of network addresses; and 
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means for establishing the secure connection between the first network device and 
the second network device based on the third description of network 
traffic : and 

wherein the first description comprises a packet summary value that summarizes 
packets in the network traffic to be protected, and wherein the second 
description is generated by the second network device based on comparing 
the packet summary value to one or more access control lists that are 
managed by the second network device . 

35. (previously presented) The apparatus of claim 34, wherein the network addresses 
comprise a network address and a network mask. 

36. (previously presented) The apparatus of claim 34 5 wherein the first description 
comprises a first protocol and the second description comprises a second protocol, and 
further comprising sequences of instructions which, when executed by the processor, 
cause the processor to perform the steps of determining a third protocol for the third 
description based on determining a logical intersection of the first protocol and the 
second protocol. 

37. (currently amended) The apparatus of claim 54 36, wherein the sequences of 
instructions that cause the processor to perform determining the third protocol comprise 
sequences of instructions which, when executed by the processor, cause the processor to 
perform: 

determining that the third protocol is IP when both the first description and the 
second description identify IP as a protocol; 
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determining that the third protocol is a specific protocol when the first description 
identifies IP and the second description identifies a non-IP protocol; 

determining that the third protocol is a either an IP or non-IP protocol when both 
the first description and the second description identify the same protocol 
of either an IP or non-IP protocol. 

38. (canceled). 

39. (previously presented) The apparatus of claim 34, wherein the first description of 
network traffic comprises a packet summary that includes: 

IP protocol information that is associated with the network traffic emanating from 
a source end host, wherein the source end host is associated with the first 
network device; 

port information that is associated with the source end host; 

port information that is associated with a destination end host, wherein the 
destination end host is associated with the second network device; 

an IP address that is associated with the source end host; 

an IP address that is associated with the destination end host; and 

a proxy address of the source end host; and 

wherein the second description is generated by the second network device based 
on comparing the packet summary to one or more access control lists that 
are managed by the second network device. 

40. (previously presented) The apparatus of claim 34, further comprising sequences 
of instructions which, when executed by the processor, cause the processor to perform: 
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determining, at the second network device, whether the packet summary matches 
a security policy information that is associated with the second network 
device; 

wherein the packet summary is associated with the first description of network 
traffic. 

41 . (currently amended) A method for determining secure endpoints of tunnels in a 
network that uses Internet security protocol, the method comprising the computer- 
implemented steps of : 

receiving, at a second network device and from a first network device, a first 
description of network traffic that is to be protected, wherein the first 
description comprises a first set of network addresses; 
in response to receiving the first description of network traffic, creating and 

sending to the first network device a second description of network traffic 
that is to be protected, wherein the second description comprises a second 
set of network addresses; 
receiving at the second network device a third description of network traffic that 
is to be protected from the first network device based on a logical 
intersection of the first description of network traffic and the second 
description of network traffic, wherein the third description comprises a 
largest common subset between the first set of network addresses and the 
second set of network addresses; and 
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establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic; 
and 

wherein the first description comprises a packet summary value that summarizes 
packets in the network traffic to be protected, and wherein the second 
description is generated by the second network device based on comparing 
the packet summary value to one or more access control lists that are 
managed by the second network device . 
42. (currently amended) A method for determining secure endpoints of tunnels in a 
network that uses Internet security protocol, the method comprising the computer- 
implemented steps of : 

sending from a first network device a first description of network traffic that is to 
be protected, wherein the first description comprises a first set of network 
addresses; 

receiving, at the first network device and from a second network device, a second 
description of network traffic that is to be protected, wherein the second 
description comprises a second set of network addresses; 

creating and storing a third description of network traffic that is to be protected 
based on determining a logical intersection of the first description of 
network traffic and the second description of network traffic, wherein the 
step of creating and storing a third description further comprises the step 
of determining a largest common subset between the first set of network 
addresses and the second set of network addresses; and 
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establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic; 
and 

wherein the first description comprises a packet summary value that summarizes 
packets in the network traffic to be protected, and wherein the second 
description is generated by the second network device based on comparing 
the packet summary value to one or more access control lists that are 
managed by the second network device , 
(currently amended) A computer-readable medium carrying one or more 
sequences of instructions for determining secure endpoints of tunnels in a network 
that uses Internet security protocol, which instructions, when executed by one or 
more processors, cause the one or more processors to carry out the steps of: 
sending from a first network device a first description of network traffic that is to 
be protected, wherein the first description comprises a first set of network 
addresses; 

receiving, at the first network device and from a second network device, a second 
description of network traffic that is to be protected, wherein the second 
description comprises a second set of network addresses; 

creating and storing a third description of network traffic that is to be protected 
based on determining a logical intersection of the first description of 
network traffic and the second description of network traffic, wherein the 
step of creating and storing a third description further comprises the step 
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of determining a largest common subset between the first set of network 
addresses and the second set of network addresses; and 
establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic; 
and 

wherein the first description comprises a packet summary value that summarizes 
packets in the network traffic to be protected, and wherein the second 
description is generated by the second network device based on comparing 
the packet summary value to one or more access control lists that are 
managed by the second network device , 
(currently amended) A computer-readable medium carrying one or more 
sequences of instructions for establishing a secure connection between two 
network devices, which instructions, when executed by one or more processors, 
cause the one or more processors to carry out the steps of: 
receiving, at a second network device and from a first network device, a first 
description of network traffic that is to be protected, wherein the first 
description comprises a first set of network addresses; 
in response to receiving the first description of network traffic, creating and 

sending to the first network device a second description of network traffic 
that is to be protected, wherein the second description comprises a second 
set of network addresses; 
receiving at the second network device a third description of network traffic that 
is to be protected from the first network device based on a logical 
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intersection of the first description of network traffic and the second 
description of network traffic, wherein the third description comprises a 
largest common subset between the first set of network addresses and the 
second set of network addresses; and 
establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic; 
and 

wherein the first description comprises a packet summary value that summarizes 
packets in the network traffic to be protected, and wherein the second 
description is generated by the second network device based on comparing 
the packet summary value to one or more access control lists that are 
managed bv the second network device . 



(new) The apparatus of Claim 34, wherein: 

said first network device comprises a first endpoint host associated with 

the first network device; and 
said second network device comprises a second endpoint host associated 

with the second network device. 



. No. 4540 



14 



